What is true for all main OSs (in desktop user form anyway)...

... is that once an attacker gets ordinary user level access, it's pretty much game over. Just about all of the linux vulnerabilities are local privilege escalation issue; no idea about windows (I don't get emails about them, I just install them every month) but I assume it's pretty much the same. And although this is a particularly large and easy hole to exploit, I bet there's more subtle ones in OSX as well.

The lesson from that pwn to own competition (no machine could be hacked just by having network access; all of them could be hacked* by exploiting a flash vulnerability) is that your vulnerability is linked directly into what you do with your system. If you're a desktop user, then things like that flash vulnerability have the potential to catch out ANY user on ANY system, without needing to click anything. On a server, the services you run and how well they're used (how exploitable is your dynamic website?) determine your vulnerabiliy.

Yes, you can customise your system to be more resistant to local-user attacks (especially if you run a multi-user system) but, pretty much, if someone gets local access it's game over.

The one thing that doesn't affect your vulnerability is OS, especially on servers. On desktops, of _course_ most people concentrate on the OS with the market share, but just coz the threat is lower doesn't affect your vulnerability.